CVE-2025-64459 is a severe SQL injection vulnerability identified in the Django web framework versions 5.1 (prior to 5.1.14), 4.2 (prior to 4.2.26), and 5.2 (prior to 5.2.8). The vulnerability stems from improper neutralization of special elements used in SQL commands (CWE-89) within the ORM layer of Django. Specifically, the QuerySet methods filter(), exclude(), and get(), as well as the Q() class, are vulnerable when a specially crafted dictionary is passed using dictionary expansion as the _connector argument. This allows an attacker to inject arbitrary SQL code into queries constructed by these methods, bypassing Django’s usual ORM protections. The flaw affects the integrity and confidentiality of the database by potentially allowing unauthorized reading or modification of data. Exploitation requires no authentication or user interaction and can be performed remotely, increasing the risk profile. Although no exploits have been observed in the wild yet, the high CVSS score of 9.1 (critical) reflects the ease of exploitation and the severity of impact. The vulnerability affects supported Django versions 5.1, 4.2, and 5.2, and earlier unsupported versions may also be vulnerable. The Django project has acknowledged the issue and released patches in versions 5.1.14, 4.2.26, and 5.2.8 to remediate the vulnerability.

For European organizations, this vulnerability poses a critical risk to web applications built on affected Django versions. Successful exploitation can lead to unauthorized data disclosure, data tampering, and potential compromise of backend databases, severely impacting confidentiality and integrity. Organizations handling sensitive personal data, financial information, or critical infrastructure data are particularly vulnerable, with potential regulatory and reputational consequences under GDPR and other data protection laws. The vulnerability’s remote exploitability without authentication means attackers can target exposed web services directly, increasing the attack surface. This can lead to data breaches, loss of customer trust, and significant remediation costs. Additionally, the integrity impact could allow attackers to manipulate data, potentially disrupting business operations or enabling further attacks. Although availability is not directly impacted, the downstream effects of data compromise could indirectly affect service continuity.

European organizations should immediately upgrade Django installations to the patched versions: 5.1.14, 4.2.26, or 5.2.8 or later. If immediate upgrading is not feasible, organizations should audit their use of QuerySet.filter(), exclude(), get(), and Q() class invocations, especially those using dictionary expansion with the _connector argument, and avoid passing untrusted input in these contexts. Implement strict input validation and sanitization on all user-supplied data used in query construction. Employ Web Application Firewalls (WAFs) with custom rules to detect and block suspicious SQL injection patterns targeting Django ORM queries. Conduct thorough code reviews and penetration testing focusing on ORM usage to identify potential injection points. Monitor application logs for anomalous query patterns indicative of injection attempts. Finally, maintain an incident response plan to quickly address any detected exploitation attempts.